Authored by:

Categories

April 17, 2017

Over the last decade as the specter of cyber attacks has increased dramatically, financial institutions have been encouraged to look into the use of cyber fraud insurance as one means of minimizing risk. A recent decision by the 8th Circuit provides an interesting opportunity to see how such policies are going to be interpreted by the courts.

In 2011, an employee at Bellingham State Bank in Minnesota initiated a wire transfer through the Federal Reserve’s FedLine Advantage Plus system (FedLine). Wire transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a wire transfer via FedLine, two Bellingham employees had to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases. In this instance the employee initiated the wire by inputting the passwords both for herself and the other employee and inserted both of the physical tokens. After initiating the wire the employee left the two tokens in the computer and left it running overnight. Upon returning the next day the employee discovered that two unauthorized wire transfers had been made from Bellingham’s Federal Reserve account to two different banks in Poland. Kirchberg was unable to reverse the transfers through the FedLine system. Kirchberg immediately contacted the Federal Reserve and requested reversal of the transfers, but the Federal Reserve refused. The Federal Reserve, however, did contact intermediary institutions to inform them that the transfers were fraudulent, and one of the intermediary institutions was able to reverse one of the transfers. The other fraudulent transfer was not recovered.

Bellingham promptly notified BancInsure of the loss and made a claim under their financial institution bond which provided coverage for losses caused by such things as employee dishonesty and forgery as well as computer system fraud. After an investigation, it was determined that a “Zeus Trojan horse” virus had infected the computer and permitted access to the computer for the fraudulent transfers. BancInsure denied the claim based on several exclusions in the policy including employee-caused loss exclusions, exclusions for theft of confidential information, and exclusions for mechanical breakdown or deterioration of a computer system. In essence, the policy does not cover losses whose proximate cause was employee negligence or a failure to maintain bank computer systems. Bellingham contested the denial and brought suit in federal court for breach of contract.

Categories

January 23, 2017

In early September 2016, the New York Department of Financial Services (“DFS”) proposed a set of data security regulations (the “Proposal”) that would govern financial institutions, banks, and insurance companies subject to the jurisdiction of the agency (“covered entities”). After receiving public comments, DFS revised and resubmitted the Proposal on December 28, 2016. If the Proposal ultimately goes into effect it would require that covered entities have a written information security policy (“WISP”) and outline specific provisions (substantive and procedural) that must be contained in that document. While the Proposal has garnered a great deal of public attention, the majority of the provisions in the latest version are not unique.

Prior to the Proposal at least four states already required that if a company collected financial information about consumers within their jurisdiction some, or all, of the company’s security program must be reduced to writing; three states required that an employee be specifically designated to maintain a security program. More importantly, the Federal Gramm Leach Bliley Act (“GLBA”) contains broad requirements that mimic many of the Proposals provisions. This includes, for example, the requirement that a financial institution conduct a risk assessment and maintain data breach response procedures.

November 19, 2015

The Georgia Secretary of State posted a letter on its website on November 18, 2015 admitting that, on October 13, the office inadvertently released personal identifying information on registered voters in Georgia. While the letter does not actually spell out what information was released, a lawsuit filed in Fulton County Superior Court this week alleges that the information on the 6,184,281 Georgia voters includes:

voters full name

residential address or mailing address if that is different

race

gender

voter registration date

last date the person voted

their social security number

driver’s license number

date of birth.

The information had been provided on CDs to 12 groups, including political parties and journalists, in a release that normally would only include basic information, such as names, addresses, registration and the last time the person voted. Under normal circumstances, the Secretary of State makes such information available for $500 to interested individuals and entities.

The Secretary of State letter indicates that the office has retrieved all of the CDs that contained the information and has confirmed that none of the data was retained by or disseminated to any third parties. In a day and time when state and federal governments have aggressively pursued private companies for similar inadvertent disclosures, the Secretary of State may still face liability.

September 1, 2015

Authored by:

Categories

September 1, 2015

Digging a tunnel for a mile so that El Chapo could slip into the shaft through his shower and disappear from a high security Mexican prison is something you might expect a Hollywood screenwriter to come up with. Is it any more remarkable though than a cyber-criminal reaching all of the way around the world to try and slip into a bank’s or a customer of the bank’s computer system in order to initiate a wire transfer?

We live at a time when individuals and criminal gangs can reach across oceans and national boundaries to try and initiate unauthorized transfers of funds. Bankers understand that this is a hot topic and that the risk of cyber-fraud is what is currently keeping regulators awake at night. While a great deal of attention is now being focused on how to keep cyber criminals out of the bank, recent attacks on various public and private institutions illustrates the complexity of denying malefactors access.

In such an environment, bankers look to various risk management strategies including insurance coverage in the event a breach occurs. The first question many banks raise is about their existing insurance coverage Are we already covered under any of the myriad of existing policies we are required to maintain? For example, what about our general liability coverage? While there may be some exceptions, the typical general liability insurance policy that banks have traditionally purchased oftentimes contains an exclusion for losses incurred by data breaches or intrusions to bank networks. If your existing policy does not currently contain such an exclusion it is highly likely that on your next renewal the exclusion will be included. Thus, it is important for bankers to not only understand what their existing policy does or does not cover but also where industry trends are headed.

July 29, 2015

Authored by:

Categories

July 29, 2015

On June 30, 2015, the FFIEC released a Cybersecurity Assessment Tool and User’s Guide (“Guide”) intended “to help institutions identify their risks and assess their cybersecurity preparedness.” Financial institutions handling sensitive customer data should view this as a mixed blessing.

It is often said by technology and cybersecurity experts that the question is not whether a company will experience a security breach, but when. The important question then is how the company responds to that breach. One implication of these statements is that an institution should do the best that it can, but that no one should be punished too severely when the inevitable breach occurs. It was, after all, unavoidable.

The release of the Cybersecurity Assessment Tool arguably changes that analysis. Now there are more specific standards against which institutions may be judged. Those who fail to conduct an adequate cybersecurity risk assessment and implement appropriate controls can expect, when the inevitable security breach occurs, that plaintiffs and regulators will point to the Cybersecurity Assessment Tool as evidence that the institution failed to take appropriate steps to mitigate the risks.

May 7, 2015

Authored by:

Categories

May 7, 2015

FDIC bank examinations generally include a focus on the information technology (“IT”) systems of banks with a particular focus on information security. The federal banking agencies issued implementing Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of third party service providers (“TSPs”).

The FDIC Office of the Inspector General recently issued a report evaluating the FDIC’s capabilities regarding its approach to evaluating bank risk to cyberattacks. The FDIC’s supervisory approach to cyberattack risks involves conducting IT examinations at FDIC-supervised banks and their TSPs; staffing IT examinations with sufficient, technically qualified staff; sharing information about incidents and cyber risks with regulators and authorities; and providing guidance to institutions. The OIG report determined that the FDIC examination work focuses on security controls at a broad program level that, if operating effectively, help institutions protect against and respond to cyberattacks. The program-level controls include risk assessment, information security, audit, business continuity, and vendor management. The OIG noted, however, that the work programs do not explicitly address cyberattack risk.

The attorneys of Bryan Cave LLP make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.